(s3-notifications): SqsDestination with imported key fails to synth #18988
Description
What is the problem?
If you add an SQS destination to an S3 bucket, and the SQS queue is encrypted and uses an imported key, your stack synth will fail with the following error:
throw new Error(`Unable to add statement to IAM resource policy for KMS key: ${JSON.stringify(stack.resolve(this.keyArn))}`);
I think it happens here:
if (this.queue.encryptionMasterKey) {
This is fine, because the key policy of an imported key cannot be changed, but instead of throwing an error, we should add a warning if the KMS key is only an IKey, like "Imported key, you have to ensure the following permissions are granted to the kms key".
Reproduction Steps
Create an encrypted SQS queue with an imported key
Create an S3 bucket and add an SQS destination
=> synth the stack, see the error
What did you expect to happen?
The stack should synth with warnings
What actually happened?
An error is thrown, synth fails
CDK CLI Version
all
Framework Version
all
Node.js Version
all
OS
all
Language
TypeScript
Language Version
No response
Other information
No response
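Added example, not part of the issue or of the CDK code base: because the key policy of an imported key has to be maintained outside the stack, this checks an exported key policy document for the grant S3 needs before it can deliver notifications to the encrypted queue. The required actions (`kms:GenerateDataKey`, `kms:Decrypt`) and the `s3.amazonaws.com` service principal are assumptions taken from AWS's documented requirements for SSE-KMS notification destinations; the issue does not list them, and the sample policies are constructed.

```typescript
// Added example: audit a KMS key policy for the S3 notification grant.
type OneOrMany = string | string[];
interface Statement {
  Effect: string;
  Principal?: string | { Service?: OneOrMany; AWS?: OneOrMany };
  Action: OneOrMany;
}
interface KeyPolicy { Statement: Statement[] }

// Assumption (not stated in the issue): what S3 needs on the queue's key.
const REQUIRED = ['kms:GenerateDataKey', 'kms:Decrypt'];
const S3_PRINCIPAL = 's3.amazonaws.com';

const toList = (v?: OneOrMany): string[] =>
  v === undefined ? [] : Array.isArray(v) ? v : [v];

// IAM action matching: case-insensitive, '*' = any run, '?' = one character.
function actionMatches(pattern: string, action: string): boolean {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp('^' + re + '$', 'i').test(action);
}

// True only for an explicit Allow to the S3 service principal. A wildcard
// principal is deliberately not counted, and Deny statements are not evaluated.
function allowsS3(stmt: Statement): boolean {
  if (stmt.Effect !== 'Allow' || typeof stmt.Principal !== 'object') return false;
  return toList(stmt.Principal.Service).indexOf(S3_PRINCIPAL) !== -1;
}

// Returns the required actions that no Allow statement grants to S3.
function missingS3Actions(policy: KeyPolicy): string[] {
  let granted: string[] = [];
  for (const stmt of policy.Statement.filter(allowsS3)) {
    granted = granted.concat(toList(stmt.Action));
  }
  return REQUIRED.filter((need) => !granted.some((g) => actionMatches(g, need)));
}

// Constructed sample: key policy that only delegates to the account root.
const rootOnly: KeyPolicy = { Statement: [
  { Effect: 'Allow', Principal: { AWS: 'arn:aws:iam::111122223333:root' }, Action: 'kms:*' },
] };
// Constructed sample: the same policy plus an explicit grant to S3.
const withS3: KeyPolicy = { Statement: rootOnly.Statement.concat([
  { Effect: 'Allow', Principal: { Service: S3_PRINCIPAL },
    Action: ['kms:GenerateDataKey*', 'kms:Decrypt'] },
]) };
console.log(missingS3Actions(rootOnly), missingS3Actions(withS3));
```

An empty result means the policy already carries the grant; anything listed still has to be added to the imported key's policy by whoever owns that key.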